I had an unexpected payment come out of my Paypal account, which didn't relate to any domains I owned and made me worried. It turned out that this was from a client's account. A month or two before, I had paid for an email mailbox in my client's account using my own Paypal account. Oops! It turns out that this automatically pre-authorises ALL future payments from that account to use my Paypal details.

I think this is completely wrong - Paypal authorisation should be for a single transaction only. We should be CLEARLY WARNED before making such a commitment for future payments.

The good news is that I can invoice my client to retrieve the money, I can de-authorise the rogue Paypal permission from within my Paypal account settings, and their customer services were very helpful in letting me know where the payment had come from and what domains it related to.